Analysis
max time kernel: 150s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-07-2024 01:44

Static task: static1
Behavioral task: behavioral1
Sample: 4c4cd17bdb63a104dc280fc0fc59b094_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: 4c4cd17bdb63a104dc280fc0fc59b094_JaffaCakes118.exe
Size: 379KB
MD5: 4c4cd17bdb63a104dc280fc0fc59b094
SHA1: 2de3371b4b698293ede15330bcff324df21b9a3d
SHA256: 1848f280694dc28426a65fa65e66bea49ac6e4fc83f299acc3ae42d07bdae3d4
SHA512: 80fb4dde68d652d581b76d0aa06d0d4f68c0b6cc8439386ce2e3ed1da47f3c2b437020d3fcd59ce2a4bd95e0cfa00a150040500dfddf5bc1b3142d1911d2d848
SSDEEP: 6144:0l1OoQkb/M+91vSGf1FSdXzjrQv3BR7VSUMcA+9N5j83LyG7A7jLePas82/+tx:0pM+91H1FO8p1VStAB83YL8/+tx
Malware Config
Signatures
UAC bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 043A6A5B00014973000C5A0F6C2A6DDB.exe

Windows security bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 043A6A5B00014973000C5A0F6C2A6DDB.exe

Disables taskbar notifications via registry modification

Deletes itself 1 IoCs
  pid | Process
  1448 | 043A6A5B00014973000C5A0F6C2A6DDB.exe

Executes dropped EXE 1 IoCs
  pid | Process
  1448 | 043A6A5B00014973000C5A0F6C2A6DDB.exe

Windows security modification
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Security Center\svc | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\svc | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 043A6A5B00014973000C5A0F6C2A6DDB.exe

Checks whether UAC is enabled
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 043A6A5B00014973000C5A0F6C2A6DDB.exe

Modifies registry class 22 IoCs
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\043A6\DefaultIcon | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\043A6\shell\open\command | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\043A6\shell\start | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\.exe | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\043A6\ = "Application" | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\043A6\shell\open | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\043A6\shell\start\command | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\043A6\shell\runas\command | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\043A6\shell\runas | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\.exe\ = "043A6" | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\043A6\Content Type = "application/x-msdownload" | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\043A6\DefaultIcon\ = "%1" | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\043A6\shell | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\043A6\shell\open\command\ = "\"C:\\ProgramData\\043A6A5B00014973000C5A0F6C2A6DDB\\043A6A5B00014973000C5A0F6C2A6DDB.exe\" -s \"%1\" %*" | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\043A6\shell\open\command\IsolatedCommand = "\"%1\" %*" | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\043A6\shell\start\command\ = "\"%1\" %*" | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\043A6\shell\start\command\IsolatedCommand = "\"%1\" %*" | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\%s | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\043A6\shell\runas\command\IsolatedCommand = "\"%1\" %*" | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\043A6\shell\runas\command\ = "\"%1\" %*" | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\043A6 | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\%s\ = "043A6" | 043A6A5B00014973000C5A0F6C2A6DDB.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid | Process
  1520 | 4c4cd17bdb63a104dc280fc0fc59b094_JaffaCakes118.exe (2 entries)
  1448 | 043A6A5B00014973000C5A0F6C2A6DDB.exe (remaining 62 entries)

Suspicious use of FindShellTrayWindow 2 IoCs
  pid | Process
  1448 | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  1448 | 043A6A5B00014973000C5A0F6C2A6DDB.exe

Suspicious use of SendNotifyMessage 2 IoCs
  pid | Process
  1448 | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  1448 | 043A6A5B00014973000C5A0F6C2A6DDB.exe

Suspicious use of SetWindowsHookEx 2 IoCs
  pid | Process
  1448 | 043A6A5B00014973000C5A0F6C2A6DDB.exe
  1448 | 043A6A5B00014973000C5A0F6C2A6DDB.exe

Suspicious use of WriteProcessMemory 3 IoCs
  description | pid | Process | procid_target
  PID 1520 wrote to memory of 1448 | 1520 | 4c4cd17bdb63a104dc280fc0fc59b094_JaffaCakes118.exe | 85
  PID 1520 wrote to memory of 1448 | 1520 | 4c4cd17bdb63a104dc280fc0fc59b094_JaffaCakes118.exe | 85
  PID 1520 wrote to memory of 1448 | 1520 | 4c4cd17bdb63a104dc280fc0fc59b094_JaffaCakes118.exe | 85

System policy modification 1 TTPs 1 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 043A6A5B00014973000C5A0F6C2A6DDB.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4c4cd17bdb63a104dc280fc0fc59b094_JaffaCakes118.exe (PID 1520)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4c4cd17bdb63a104dc280fc0fc59b094_JaffaCakes118.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\043A6A5B00014973000C5A0F6C2A6DDB\043A6A5B00014973000C5A0F6C2A6DDB.exe (PID 1448, child of PID 1520)
    Command line: "C:\ProgramData\043A6A5B00014973000C5A0F6C2A6DDB\043A6A5B00014973000C5A0F6C2A6DDB.exe" -d "C:\Users\Admin\AppData\Local\Temp\4c4cd17bdb63a104dc280fc0fc59b094_JaffaCakes118.exe"
    - UAC bypass
    - Windows security bypass
    - Deletes itself
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - System policy modification
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 379KB
MD5: 4c4cd17bdb63a104dc280fc0fc59b094
SHA1: 2de3371b4b698293ede15330bcff324df21b9a3d
SHA256: 1848f280694dc28426a65fa65e66bea49ac6e4fc83f299acc3ae42d07bdae3d4
SHA512: 80fb4dde68d652d581b76d0aa06d0d4f68c0b6cc8439386ce2e3ed1da47f3c2b437020d3fcd59ce2a4bd95e0cfa00a150040500dfddf5bc1b3142d1911d2d848